unicorn 4.1.1 → 4.2.0

data/DESIGN

@@ -31,9 +31,9 @@
 * One master process spawns and reaps worker processes.  The
   Rack application itself is called only within the worker process (but
   can be loaded within the master).  A copy-on-write friendly garbage
-  collector like Ruby Enterprise Edition can be used to minimize memory
-  usage along with the "preload_app true" directive (see
-  Unicorn::Configurator).
+  collector like the one found in Ruby 2.0.0dev or Ruby Enterprise Edition
+  can be used to minimize memory usage along with the "preload_app true"
+  directive (see Unicorn::Configurator).
 
 * The number of worker processes should be scaled to the number of
   CPUs, memory or even spindles you have.  If you have an existing

data/GIT-VERSION-GEN

@@ -1,7 +1,7 @@
 #!/bin/sh
 
 GVF=GIT-VERSION-FILE
-DEF_VER=v4.1.1.GIT
+DEF_VER=v4.2.0.GIT
 
 LF='
 '

data/LICENSE

@@ -1,8 +1,17 @@
 Unicorn is copyrighted free software by all contributors, see logs in
-revision control for names and email addresses of all of them.  You can
-redistribute it and/or modify it under either the terms of the
-{GPL2}[http://www.gnu.org/licenses/gpl-2.0.txt] (see link:COPYING) or
-the conditions below:
+revision control for names and email addresses of all of them.
+
+You can redistribute it and/or modify it under either the terms of the
+GNU General Public License (GPL) as published by the Free Software
+Foundation (FSF), version {3.0}[http://www.gnu.org/licenses/gpl-3.0.txt]
+or version {2.0}[http://www.gnu.org/licenses/gpl-2.0.txt]
+or the Ruby-specific license terms (see below).
+
+The unicorn project leader (Eric Wong) reserves the right to add future
+versions of the GPL (and no other licenses) as published by the FSF to
+the licensing terms.
+
+=== Ruby-specific terms (if you're not using the GPLv2 or GPLv3)
 
   1. You may make and give away verbatim copies of the source form of the
      software without restriction, provided that you duplicate all of the

data/Links

@@ -26,6 +26,9 @@ or services behind them.
 * {raindrops}[http://raindrops.bogomips.org/] - real-time stats for
   preforking Rack servers
 
+* {UnXF}[http://bogomips.org/unxf/]  Un-X-Forward* the Rack environment,
+  useful since unicorn is designed to be deployed behind a reverse proxy.
+
 === \Unicorn is written to work with
 
 * {Rack}[http://rack.rubyforge.org/] - a minimal interface between webservers

data/README

@@ -62,9 +62,9 @@ both the the request and response in between \Unicorn and slow clients.
 \Unicorn is copyright 2009 by all contributors (see logs in git).
 It is based on Mongrel 1.1.5 and carries the same license.
 
-Mongrel is copyright 2007 Zed A. Shaw and contributors. It is licensed
-under the Ruby (1.8) license and the GPL2. See the included LICENSE file
-for details.
+Mongrel is copyright 2007 Zed A. Shaw and contributors. It is
+tri-licensed under (your choice) of the GPLv3, GPLv2 or Ruby-specific
+terms.  See the included LICENSE file for details.
 
 \Unicorn is 100% Free Software.
 

data/Rakefile

@@ -49,7 +49,7 @@ task :fm_update do
   require 'net/netrc'
   require 'json'
   version = ENV['VERSION'] or abort "VERSION= needed"
-  uri = URI.parse('http://freshmeat.net/projects/unicorn/releases.json')
+  uri = URI.parse('http://freecode.com/projects/unicorn/releases.json')
   rc = Net::Netrc.locate('unicorn-fm') or abort "~/.netrc not found"
   api_token = rc.password
   _, subject, body = `git cat-file tag v#{version}`.split(/\n\n/, 3)

data/examples/unicorn.conf.rb

@@ -40,7 +40,7 @@ pid "/path/to/app/shared/pids/unicorn.pid"
 stderr_path "/path/to/app/shared/log/unicorn.stderr.log"
 stdout_path "/path/to/app/shared/log/unicorn.stdout.log"
 
-# combine REE with "preload_app true" for memory savings
+# combine Ruby 2.0.0dev or REE with "preload_app true" for memory savings
 # http://rubyenterpriseedition.com/faq.html#adapt_apps_for_cow
 preload_app true
 GC.respond_to?(:copy_on_write_friendly=) and

data/ext/unicorn_http/unicorn_http.rl

@@ -1,7 +1,8 @@
 /**
  * Copyright (c) 2009 Eric Wong (all bugs are Eric's fault)
  * Copyright (c) 2005 Zed A. Shaw
- * You can redistribute it and/or modify it under the same terms as Ruby.
+ * You can redistribute it and/or modify it under the same terms as Ruby 1.8 or
+ * the GPLv3
  */
 #include "ruby.h"
 #include "ext_help.h"

data/lib/unicorn/app/inetd.rb

@@ -1,7 +1,8 @@
 # -*- encoding: binary -*-
 # :enddoc:
 # Copyright (c) 2009 Eric Wong
-# You can redistribute it and/or modify it under the same terms as Ruby.
+# You can redistribute it and/or modify it under the same terms as Ruby 1.8 or
+# the GPLv3
 
 # this class *must* be used with Rack::Chunked
 module Unicorn::App

data/lib/unicorn/app/old_rails.rb

@@ -4,7 +4,8 @@
 # This code is based on the original Rails handler in Mongrel
 # Copyright (c) 2005 Zed A. Shaw
 # Copyright (c) 2009 Eric Wong
-# You can redistribute it and/or modify it under the same terms as Ruby.
+# You can redistribute it and/or modify it under the same terms as Ruby 1.8 or
+# the GPLv3
 # Additional work donated by contributors.  See CONTRIBUTORS for more info.
 require 'unicorn/cgi_wrapper'
 require 'dispatcher'

data/lib/unicorn/app/old_rails/static.rb

@@ -3,7 +3,8 @@
 # This code is based on the original Rails handler in Mongrel
 # Copyright (c) 2005 Zed A. Shaw
 # Copyright (c) 2009 Eric Wong
-# You can redistribute it and/or modify it under the same terms as Ruby.
+# You can redistribute it and/or modify it under the same terms as Ruby 1.8 or
+# the GPLv3
 
 # Static file handler for Rails < 2.3.  This handler is only provided
 # as a convenience for developers.  Performance-minded deployments should

data/lib/unicorn/cgi_wrapper.rb

@@ -4,7 +4,8 @@
 # This code is based on the original CGIWrapper from Mongrel
 # Copyright (c) 2005 Zed A. Shaw
 # Copyright (c) 2009 Eric Wong
-# You can redistribute it and/or modify it under the same terms as Ruby.
+# You can redistribute it and/or modify it under the same terms as Ruby 1.8 or
+# the GPLv3
 #
 # Additional work donated by contributors.  See CONTRIBUTORS for more info.
 

data/lib/unicorn/configurator.rb

@@ -1,5 +1,6 @@
 # -*- encoding: binary -*-
 require 'logger'
+require 'unicorn/ssl_configurator'
 
 # Implements a simple DSL for configuring a \Unicorn server.
 #
@@ -12,6 +13,7 @@ require 'logger'
 # See the link:/TUNING.html document for more information on tuning unicorn.
 class Unicorn::Configurator
   include Unicorn
+  include Unicorn::SSLConfigurator
 
   # :stopdoc:
   attr_accessor :set, :config_file, :after_reload
@@ -186,7 +188,8 @@ class Unicorn::Configurator
   #    }
   def timeout(seconds)
     set_int(:timeout, seconds, 3)
-    max = 0x7ffffffe # Rainbows! adds one second to this for safety
+    # POSIX says 31 days is the smallest allowed maximum timeout for select()
+    max = 30 * 60 * 60 * 24
     set[:timeout] = seconds > max ? max : seconds
   end
 
@@ -563,13 +566,16 @@ private
     end
   end
 
-  def set_bool(var, bool) #:nodoc:
+  def check_bool(var, bool) # :nodoc:
     case bool
     when true, false
-      set[var] = bool
-    else
-      raise ArgumentError, "#{var}=#{bool.inspect} not a boolean"
+      return bool
     end
+    raise ArgumentError, "#{var}=#{bool.inspect} not a boolean"
+  end
+
+  def set_bool(var, bool) #:nodoc:
+    set[var] = check_bool(var, bool)
   end
 
   def set_hook(var, my_proc, req_arity = 2) #:nodoc:

data/lib/unicorn/const.rb

@@ -8,7 +8,7 @@
 # improve things much compared to constants.
 module Unicorn::Const
 
-  UNICORN_VERSION = "4.1.1"
+  UNICORN_VERSION = "4.2.0"
 
   # default TCP listen host address (0.0.0.0, all interfaces)
   DEFAULT_HOST = "0.0.0.0"

data/lib/unicorn/http_server.rb

@@ -1,4 +1,5 @@
 # -*- encoding: binary -*-
+require "unicorn/ssl_server"
 
 # This is the process manager of Unicorn. This manages worker
 # processes which in turn handle the I/O and application process.
@@ -19,6 +20,7 @@ class Unicorn::HttpServer
   attr_reader :pid, :logger
   include Unicorn::SocketHelper
   include Unicorn::HttpResponse
+  include Unicorn::SSLServer
 
   # backwards compatibility with 1.x
   Worker = Unicorn::Worker
@@ -282,7 +284,7 @@ class Unicorn::HttpServer
       when :USR2 # exec binary, stay alive in case something went wrong
         reexec
       when :WINCH
-        if Process.ppid == 1 || Process.getpgrp != $$
+        if Unicorn::Configurator::RACKUP[:daemonized]
           respawn = false
           logger.info "gracefully stopping all workers"
           kill_each_worker(:QUIT)
@@ -445,7 +447,7 @@ class Unicorn::HttpServer
     now = Time.now.to_i
     WORKERS.dup.each_pair do |wpid, worker|
       tick = worker.tick
-      0 == tick and next # skip workers that are sleeping
+      0 == tick and next # skip workers that haven't processed any clients
       diff = now - tick
       tmp = @timeout - diff
       if tmp >= 0
@@ -563,6 +565,8 @@ class Unicorn::HttpServer
     self.timeout /= 2.0 # halve it for select()
     @config = nil
     build_app! unless preload_app
+    ssl_enable!
+    @after_fork = @listener_opts = @orig_app = nil
   end
 
   def reopen_worker_logs(worker_nr)
@@ -618,9 +622,8 @@ class Unicorn::HttpServer
       # timeout used so we can detect parent death:
       worker.tick = Time.now.to_i
       ret = IO.select(l, nil, SELF_PIPE, @timeout) and ready = ret[0]
-    rescue Errno::EBADF
-      nr < 0 or return
     rescue => e
+      redo if nr < 0 && (Errno::EBADF === e || IOError === e) # reopen logs
       Unicorn.log_error(@logger, "listen loop error", e) if worker
     end while worker
   end

data/lib/unicorn/oob_gc.rb

@@ -61,7 +61,9 @@ module Unicorn::OobGC
     if OOBGC_PATH =~ OOBGC_ENV[PATH_INFO] && ((@@nr -= 1) <= 0)
       @@nr = OOBGC_INTERVAL
       OOBGC_ENV.clear
+      disabled = GC.enable
       GC.start
+      GC.disable if disabled
     end
   end
 

data/lib/unicorn/socket_helper.rb

@@ -51,7 +51,10 @@ module Unicorn
     end
 
     def set_tcp_sockopt(sock, opt)
-      # highly portable, but off by default because we don't do keepalive
+      # just in case, even LANs can break sometimes.  Linux sysadmins
+      # can lower net.ipv4.tcp_keepalive_* sysctl knobs to very low values.
+      sock.setsockopt(SOL_SOCKET, SO_KEEPALIVE, 1) if defined?(SO_KEEPALIVE)
+
       if defined?(TCP_NODELAY)
         val = opt[:tcp_nodelay]
         val = DEFAULTS[:tcp_nodelay] if nil == val

data/lib/unicorn/ssl_client.rb

@@ -0,0 +1,6 @@
+# -*- encoding: binary -*-
+# :stopdoc:
+class Unicorn::SSLClient < Kgio::SSL
+  alias write kgio_write
+  alias close kgio_close
+end

data/lib/unicorn/ssl_configurator.rb

@@ -0,0 +1,104 @@
+# -*- encoding: binary -*-
+# :stopdoc:
+# This module is included in Unicorn::Configurator
+# :startdoc:
+#
+module Unicorn::SSLConfigurator
+  def ssl(&block)
+    ssl_require!
+    before = @set[:listeners].dup
+    opts = @set[:ssl_opts] = {}
+    yield
+    (@set[:listeners] - before).each do |address|
+      (@set[:listener_opts][address] ||= {})[:ssl_opts] = opts
+    end
+    ensure
+      @set.delete(:ssl_opts)
+  end
+
+  def ssl_certificate(file)
+    ssl_set(:ssl_certificate, file)
+  end
+
+  def ssl_certificate_key(file)
+    ssl_set(:ssl_certificate_key, file)
+  end
+
+  def ssl_client_certificate(file)
+    ssl_set(:ssl_client_certificate, file)
+  end
+
+  def ssl_dhparam(file)
+    ssl_set(:ssl_dhparam, file)
+  end
+
+  def ssl_ciphers(openssl_cipherlist_spec)
+    ssl_set(:ssl_ciphers, openssl_cipherlist_spec)
+  end
+
+  def ssl_crl(file)
+    ssl_set(:ssl_crl, file)
+  end
+
+  def ssl_prefer_server_ciphers(bool)
+    ssl_set(:ssl_prefer_server_ciphers, check_bool(bool))
+  end
+
+  def ssl_protocols(list)
+    ssl_set(:ssl_protocols, list)
+  end
+
+  def ssl_verify_client(on_off_optional)
+    ssl_set(:ssl_verify_client, on_off_optional)
+  end
+
+  def ssl_session_timeout(seconds)
+    ssl_set(:ssl_session_timeout, seconds)
+  end
+
+  def ssl_verify_depth(depth)
+    ssl_set(:ssl_verify_depth, depth)
+  end
+
+  # Allows specifying an engine for OpenSSL to use.  We have not been
+  # able to successfully test this feature due to a lack of hardware,
+  # Reports of success or patches to mongrel-unicorn@rubyforge.org is
+  # greatly appreciated.
+  def ssl_engine(engine)
+    ssl_warn_global(:ssl_engine)
+    ssl_require!
+    OpenSSL::Engine.load
+    OpenSSL::Engine.by_id(engine)
+    @set[:ssl_engine] = engine
+  end
+
+  def ssl_compression(bool)
+    # OpenSSL uses the SSL_OP_NO_COMPRESSION flag, Flipper follows suit
+    # with :ssl_no_compression, but we negate it to avoid exposing double
+    # negatives to the user.
+    ssl_set(:ssl_no_compression, check_bool(:ssl_compression, ! bool))
+  end
+
+private
+
+  def ssl_warn_global(func) # :nodoc:
+    Hash === @set[:ssl_opts] or return
+    warn("`#{func}' affects all SSL contexts in this process, " \
+         "not just this block")
+  end
+
+  def ssl_set(key, value) # :nodoc:
+    cur = @set[:ssl_opts]
+    Hash === cur or
+             raise ArgumentError, "#{key} must be called inside an `ssl' block"
+    cur[key] = value
+  end
+
+  def ssl_require! # :nodoc:
+    require "flipper"
+    require "unicorn/ssl_client"
+    rescue LoadError
+      warn "install 'kgio-monkey' for SSL support"
+      raise
+  end
+end

data/lib/unicorn/ssl_server.rb

@@ -0,0 +1,42 @@
+# -*- encoding: binary -*-
+# :stopdoc:
+# this module is meant to be included in Unicorn::HttpServer
+# It is an implementation detail and NOT meant for users.
+module Unicorn::SSLServer
+  attr_accessor :ssl_engine
+
+  def ssl_enable!
+    sni_hostnames = rack_sni_hostnames(@app)
+    seen = {} # we map a single SSLContext to multiple listeners
+    listener_ctx = {}
+    @listener_opts.each do |address, address_opts|
+      ssl_opts = address_opts[:ssl_opts] or next
+      listener_ctx[address] = seen[ssl_opts.object_id] ||= begin
+        unless sni_hostnames.empty?
+          ssl_opts = ssl_opts.dup
+          ssl_opts[:sni_hostnames] = sni_hostnames
+        end
+        ctx = Flipper.ssl_context(ssl_opts)
+        # FIXME: make configurable
+        ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
+        ctx
+      end
+    end
+    Unicorn::HttpServer::LISTENERS.each do |listener|
+      ctx = listener_ctx[sock_name(listener)] or next
+      listener.extend(Kgio::SSLServer)
+      listener.ssl_ctx = ctx
+      listener.kgio_ssl_class = Unicorn::SSLClient
+    end
+  end
+
+  # ugh, this depends on Rack internals...
+  def rack_sni_hostnames(rack_app) # :nodoc:
+    hostnames = {}
+    if Rack::URLMap === rack_app
+      mapping = rack_app.instance_variable_get(:@mapping)
+      mapping.each { |hostname,_,_,_| hostnames[hostname] = true }
+    end
+    hostnames.keys
+  end
+end

data/script/isolate_for_tests

@@ -16,10 +16,13 @@ opts = {
 
 pid = fork do
   Isolate.now!(opts) do
-    gem 'sqlite3-ruby', '1.2.5'
-    gem 'raindrops', '0.7.0'
-    gem 'kgio', '2.6.0'
-    gem 'rack', '1.3.2'
+    if RUBY_VERSION.to_f < 2.0
+      gem 'sqlite3-ruby', '1.2.5'
+    end
+    gem 'raindrops', '0.8.0'
+    gem 'kgio-monkey', '0.3.0'
+    gem 'kgio', '2.7.2'
+    gem 'rack', '1.4.1'
   end
 end
 _, status = Process.waitpid2(pid)